1. Field of Invention
The present invention relates generally to the field of computer and network security. More specifically, the present invention is related to intrusion detection and isolation.
2. Discussion of Prior Art
Prior art solutions proposed to prevent intrusion in a host system fall under two main categories: external protection or internal protection. External protection scenarios include (but are not limited to) firewalls and routers which provide protection against various attacks (e.g., denial of service or DoS attacks) on a network infrastructure. The firewall approach prevents unauthorized access from an outsider (such as, an unauthorized user or hacker) by monitoring traffic on critical incoming ports. The firewall security layer is a control layer inserted between a local private network and an outside internet network. The firewall security layer permits only some traffic to pass through. The firewall is configured by a host master of the local private network based on the local private network's security policy. For example, the firewall can be configured to block: (a) traffic of a certain type, (b) traffic from certain addresses, or (c) traffic from all but a predetermined set of IP addresses. Firewalls also provide several schemes such as port forwarding and DMZ type applications. Additionally, they can, but often do not, limit outgoing port connections. The firewall, moreover, cannot block all IP addresses. An attacker (outsider, unauthorized user or hacker) is able to exploit this vulnerability. In this scenario, the attacker masks any harmful intent at the beginning of a session, gains access to sensitive data, and at a later point, attacks the host system. The firewall security layer has to update the harmful addresses after such attack or intrusion occurred. Thus, the firewall solution fails to offer a real-time blocking solution with regard to such harmful IP addresses.
Internal protection schemes have been designed to prevent breaches in security through the use of file permission, directory access, and execution permission usually set as part of the file system associated with the host. This prevents unauthorized users from accessing sensitive aspects of the system.
The question of how to determine, programmatically, that a system has been breached is a interesting problem. There have been several efforts in the industry that only partial solutions to address this issue.
Whatever the precise merits, features, and advantages of the above mentioned prior art internal or external protection schemes, none of them achieves or fulfills the purposes of the present invention.